Bug 212162 - X server can be started without console ownership [NEEDINFO]
X server can be started without console ownership
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: xorg-x11-server (Show other bugs)
21
All Linux
medium Severity medium
: ---
: ---
Assigned To: Adam Jackson
: Reopened, Triaged
Depends On:
Blocks: fedora-x-target
  Show dependency treegraph
 
Reported: 2006-10-25 09:29 EDT by jjaakkol
Modified: 2015-11-04 15:08 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 500469 (view as bug list)
Environment:
Last Closed: 2015-11-04 15:08:50 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
thoger: needinfo? (ajax)


Attachments (Terms of Use)

  None (edit)
Description jjaakkol 2006-10-25 09:29:56 EDT
Description of problem:

Hello from University of Helsinki.

Starting X server does not require console ownership anymore (older
redhat/fedora x-server packages did). This allows remote users (via ssh) to
start software at console and causes at least the following security problems:

1. Needlessly exposes servers to which users have no console access, but can
remotely login to X server and graphics driver security bugs
2. Allows remote console hijacking (and after that spoofing screensaver or login
programs which prompt passwords)
3. Can be used to cause nuisance in classroom configurations.

2. and 3. are probably not a general problem, but we here in University of
Helsinki are using Fedora Core at our linux classrooms. 

I know I can just chmod u-s /usr/bin/Xorg, but giving local console users the
ability to start their own X-servers is a useful feature (we do not yet use *dm
and do not want to be forced to switch).

So, I'd like a fix that either patches X server to do pam-authentication (again)
or have X server lose its suid bit and install a small wrapper program which
does the authentication or just checks that user has console access (I am going
to implement the latter myself).

Version-Release number of selected component (if applicable):

xorg-x11-server-Xorg-1.0.1-9.fc5.5

How reproducible:

Login remotely and do /usr/bin/Xorg :1
  
Actual results:

X server starts.

Expected results:

Starting X server should be denied.

Although this bug is security related, I did not check the "security sensitive"
checkbox. This is rather obvious after all and not critical.
Comment 1 Adam Jackson 2007-01-24 21:21:36 EST
This ought to just work; looks like we missed the -DUSE_PAM during modularization.
Comment 2 Bug Zapper 2008-05-13 22:25:54 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 3 Tomas Hoger 2009-02-18 06:15:18 EST
Besides of the additions of -DUSE_PAM and addition of the pam-devel BR, following changes will be needed as well:

- Xorg uses xserver as a service name.  However, /etc/pam.d/xserver is currently part of xorg-x11-xdm, even though xdm does not seem to use it.  This will likely need to get moved to xorg-x11-server.

- xserver file will need to be re-introduced in /etc/security/console.apps/, so the console user can start Xorg even when some other user is currently a console user.
Comment 4 Bug Zapper 2009-06-09 05:11:03 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 5 Matěj Cepl 2009-11-05 13:18:37 EST
Since this bugzilla report was filed, there have been several major updates in various components of the Xorg system, which may have resolved this issue. Users who have experienced this problem are encouraged to upgrade their system to the latest version of their packages. For packages from updates-testing repository you can use command

yum upgrade --enablerepo='*-updates-testing'

Alternatively, you can also try to test whether this bug is reproducible with the upcoming Fedora 12 distribution by downloading LiveMedia of F12 Beta available at http://alt.fedoraproject.org/pub/alt/nightly-composes/ . By using that you get all the latest packages without need to install anything on your computer. For more information on using LiveMedia take a look at https://fedoraproject.org/wiki/FedoraLiveCD .

Please, if you experience this problem on the up-to-date system, let us now in the comment for this bug, or whether the upgraded system works for you.

If you won't be able to reply in one month, I will have to close this bug as INSUFFICIENT_DATA. Thank you.

[This is a bulk message for all open Fedora Rawhide Xorg-related bugs. I'm adding myself to the CC list for each bug, so I'll see any comments you make after this and do my best to make sure every issue gets proper attention.]
Comment 6 Tomas Hoger 2009-11-09 11:23:56 EST
Not another zapper round...

It's still true with up to date F11.  I don't have good enough F12 install to do a quick test, but the test is quite trivial.
Comment 7 Tomas Hoger 2010-04-15 09:22:52 EDT
F12+ now has /etc/pam.d/xserver in xorg-x11-server-Xorg, but is not built with PAM support.
Comment 8 Bug Zapper 2010-11-04 08:14:53 EDT
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 9 Tomas Hoger 2010-11-04 10:23:21 EDT
Status mentioned in comment #7 applies to F13, it seems there's no change in F14 and F15/rawhide.  Change is in EL5 and EL6.
Comment 10 Bug Zapper 2011-06-02 14:42:28 EDT
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 11 Tomas Hoger 2011-06-03 03:00:50 EDT
Confirmed on xorg-x11-server-Xorg-1.9.5-1.fc14, same status as mentioned in comment #7 and comment #9.
Comment 12 Fedora End Of Life 2012-08-07 16:07:49 EDT
This message is a notice that Fedora 15 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 15. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. At this time, all open bugs with a Fedora 'version'
of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we were unable to fix it before Fedora 15 reached end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to click on
"Clone This Bug" (top right of this page) and open it against that
version of Fedora.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

The process we are following is described here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 13 Tomas Hoger 2012-08-08 03:55:48 EDT
Confirmed with xorg-x11-server-Xorg-1.11.4-3.fc16, should affect latest rawhide (xorg-x11-server-Xorg-1.12.99.903-6.20120726.fc18) too, as it includes pam config file and does not require pam.
Comment 14 Fedora End Of Life 2013-04-03 15:50:51 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
Comment 15 Fedora End Of Life 2015-01-09 16:35:52 EST
This message is a notice that Fedora 19 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 19. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 19 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 16 Tomas Hoger 2015-01-12 03:04:13 EST
Confirmed with xorg-x11-server-1.14.4-13.fc20, does not seem to be fixed in later versions.  Adam, this has a fairly small patch in RHEL, is it intentional that this remains unfixed in Fedora?
Comment 18 Fedora End Of Life 2015-11-04 10:44:23 EST
This message is a reminder that Fedora 21 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 21. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '21'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 21 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 19 Tomas Hoger 2015-11-04 15:08:50 EST
Fixed in F22 by the use of Xorg.wrap and its allowed_users=console default.  Attempt to start X server when logged in via SSH now ends with:

/usr/libexec/Xorg.wrap: Only console users are allowed to run the X server

Note You need to log in before you can comment on or make changes to this bug.